The Personal Data Commissioner in Cyprus slaps record fines for data violations
The Office of the Commissioner for Personal Data Protection in Cyprus, an independent public authority responsible for monitoring the implementation of Regulation (EU) 2016/679 (GDPR) and other laws in Cyprus, has slapped three related companies with fines totalling €82,000 after ruling that their use of an automated formula to monitor and manage the 800 employees’ sick leaves was in violation of privacy laws.
In a separate case, the commissioner also slapped a €9,000 administrative fine on the Labour ministry’s social insurance services (YKA) for allowing leaks of personal data from its system.
In a report released on Monday, commissioner Irene Loizidou Nicolaidou said that her office received a complaint in June 2018 from the trade union SEK alleging that LGS Handling Ltd, Louis Travel Ltd and Louis Aviation Ltd had applied the Bradford Factor, an automated system aimed at managing and monitoring workers’ sick leaves.
The formula in question is used in human resource management as a means of measuring worker absenteeism.
According to the commissioner, the date of the sick leave and the frequency of sick leave for a person, in so far as his or her identity is revealed directly or indirectly, constitute specific categories of personal data.
“Feeding an automated system with personal data, calibrating them using the ‘Bradford Factor’ and then drawing up profiles of individuals based on the output, is deemed as processing of personal data,” the report said.
The commissioner said that this practice lacked legal basis and had to be discontinued.
Though the companies in question had the right to monitor the frequency of sick leaves, the report said, “such a right, however, should not be abused and should also be exercised within the limits set by the relevant legislative framework.”
“Employers cannot exercise unlimited control and supervision over their employees, violating their personality,” it said.
Grading sick leave goes beyond the employer’s competence because, this way, they make themselves “a physician or health professional and ‘punish’ employees who take sick leave on specific days of the week or month.”
The commissioner fined LGS Handling €70,000, Louis Travel €10,000 and Louis Aviation €2,000.
The report said that a number of factors were taken into account in calculating the penalties, including the number of employees, 818 in total, the nature and duration of the infringement and the turnover of the companies concerned.
The YKA case relates to the arrest in 2017 of a 43-year-old female Cyta employee and a 68-year-old former policeman who was working as a private detective after it emerged that the woman was passing on personal telecommunication data to him.
Documents from the YKA system were also found in the 68-year-old’s house. It emerged that two YKA officials who had access to that information were able to print screen the documents in question and hand them over to the 68-year-old.
According to the commissioner, YKA failed to properly inform her of this security breach in its system, adding that the security measures taken by the service at the time were inadequate.